Archived from groups: microsoft.public.windowsxp.security_admin (
More info?)
Brundle,
My friend had this trojan a couple of weeks ago and this is how I
helped him to get rid of the Trojan-spy.HTML -->
http://elamb.blogharbor.com/hacked/removesmithfraud.htm
More on computer Security:
elamb.org
BrundleFly wrote:
> Hi Malke,
> I've those forum links you gave me, they don't seem to be sending me
the
> activation e-mail though. I've posted my HijackThis log below in
case you or
> anyone else can help me fix it. Thanks.
>
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\system32\spoolsv.exe
> c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
> C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
> C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
> c:\PROGRA~1\mcafee.com\vso\mcshield.exe
> C:\WINDOWS\Explorer.EXE
> C:\WINDOWS\system32\msole32.exe
> C:\WINDOWS\popuper.exe
> C:\WINDOWS\system32\intmonp.exe
> C:\WINDOWS\System32\hkcmd.exe
> C:\PROGRA~1\mcafee.com\agent\mcagent.exe
> C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
> C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
> C:\WINDOWS\system32\wuauclt.exe
> C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
> C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
> C:\WINDOWS\system32\ctfmon.exe
> C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
> C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
> C:\Program Files\WinZip\WZQKPICK.EXE
> C:\Program Files\blueyonder IST\bin\mpbtn.exe
> C:\Documents and Settings\Administrator\Local
Settings\Temp\HijackThis.exe
>
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL
=
> http://www.qfind.net/
> R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL =
>
http://www.qfind.net/search.php?qq=%s
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
> http://www.google.co.uk/
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
>
http://qfind.net/bar/index.html
> R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
> http://www.qfind.net/
> R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
>
http://www.qfind.net/search.php?qq=%s
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
> http://www.qfind.net/
> R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
> http://www.qfind.net/
> R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
> http://www.blueyonder.co.uk/
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Internet
> Explorer Provided by blueyonder
> R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings,ProxyOverride = 127.0.0.1
> O2 - BHO: AcroIEHlprObj Class -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
> C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
> O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E}
-
> c:\program files\mcafee.com\mps\mcbrhlpr.dll
> O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22}
-
> c:\program files\mcafee.com\mps\popupkiller.dll
> O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
> C:\PROGRA~1\SPYBOT~1\SDHelper.dll
> O3 - Toolbar: McAfee VirusScan -
{BA52B914-B692-46c4-B683-905236F6F655} -
> c:\progra~1\mcafee.com\vso\mcvsshl.dll
> O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
> O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
> O4 - HKLM\..\Run: [MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
> O4 - HKLM\..\Run: [MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
> O4 - HKLM\..\Run: [MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
> O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
/embedding
> O4 - HKLM\..\Run: [MSKAGENTEXE]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
> O4 - HKLM\..\Run: [MSKDetectorExe]
C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe
> /startup
> O4 - HKLM\..\Run: [VSOCheckTask]
"c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe"
> /checktask
> O4 - HKLM\..\Run: [VirusScan Online]
"c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
> O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
> O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
> O4 - HKCU\..\Run: [MSKAGENTEXE]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
> O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
> Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
> O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program
> Files\blueyonder IST\bin\matcli.exe
> O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program
> Files\WinZip\WZQKPICK.EXE
> O8 - Extra context menu item: E&xport to Microsoft Excel -
> res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
> O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263}
-
> C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
> O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
-
> C:\Program Files\Messenger\msmsgs.exe
> O9 - Extra 'Tools' menuitem: Windows Messenger -
> {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
> O9 - Extra button: Microsoft AntiSpyware helper -
> {F5D4D416-51D9-45E7-BD9D-D1255026AD5E} - (no file) (HKCU)
> O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -
> {F5D4D416-51D9-45E7-BD9D-D1255026AD5E} - (no file) (HKCU)
> O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com
Operating
> System Class) -
>
http://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,90/mcinsctl.cab
> O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl
Class) -
>
http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111406129308
> O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr
Class) -
>
http://download.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,23/mcgdmgr.cab
> O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
cancerbacup.org
> O17 - HKLM\Software\..\Telephony: DomainName = cancerbacup.org
> O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
cancerbacup.org
> O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
> O23 - Service: McAfee.com McShield (McShield) - Unknown owner -
> c:\PROGRA~1\mcafee.com\vso\mcshield.exe
> O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) -
McAfee,
> Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
> O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte)
-
> McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
> O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee
> Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
> O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. -
> C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
>
>
>
>
>
> "Malke" wrote:
>
> > BrundleFly wrote:
> >
> > > Hi,
> > > My system has developed a prolem. Unwanted ads keep popping up
for
> > > all
> > > sorts of trash, even when i'm not online. After i've closed the
ads
> > > they
> > > occasionally leave icons on my desktop. Also my desktop went
blue
> > > with a security warning in the middle about trojans & spyware on
the
> > > system telling
> > > me to install a program called security iguard (which i didn't).
I've
> > > managed to get rid of this (although i still can't get it to
change
> > > from blue) but now a flashing icon appears on the desktop toolbar
with
> > > messages about how my system is infected and telling me to
install one
> > > security program or another.
> > >
> > > I'm on XP professional and when this started i only had the
windows
> > > standard
> > > firewall and McAfee Virus scan. I've now upgraded to the full
McAfee
> > > Internet Security package incl firewall. I've run both adaware
and
> > > spybot, both in safe mode and normal mode, and i've turned off
system
> > > restore while i
> > > was doing all those things. The new Mcafee package picked up a
trojan
> > > and deleted it but after all of the above the problem still
persists.
> > >
> > > Any advice please?
> >
> > If you are still getting popups, then your system is still
infected.
> > Since you've already run Ad-aware and Spybot (presumably the latest
> > versions with updated definitions) in Safe Mode, move on to
HijackThis
> > and post your log at one of the HijackThis forums (not here,
please).
> > Here is information about HijackThis:
> >
> >
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
> > Eshelman
> >
http://aumha.net - forums
> >
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior
HijackThis
> > forum
> > http://www.wilderssecurity.com/
> > http://forums.tomcoyote.org/
> > http://www.spywareinfo.com/forums/
> >
> > Malke
> > --
> > MS-MVP Windows User/Shell
> > Elephant Boy Computers
> > www.elephantboycomputers.com
> > "Don't Panic"
> >